Editcap Guide: 11 Examples To Handle Network Packet Dumps Effectively

This article is written by Balakrishnan M
The editcap utility selects or removes specific packets from a capture (dump) file and can translate the file into a given format. Editcap does not capture packets itself the way ethereal does; it operates on already captured packets and writes the required subset into another file. Various options control which packets editcap writes.
In this article, let us review 11 practical examples of how to use editcap to handle packet dumps effectively.

Primary Purpose of editcap

Following are the main reasons to use the editcap command.

Divide a dump file into multiple files.

Select only the required packets.

Translate the capture file from one format to another.

Ability to read from a compressed dump file.

Make the job easier for network analyzer tool by loading only selective packets, instead of loading whole dump.

All of these features result in less time spent processing or analyzing packets.

Let us assume a scenario where you have to analyze only some specific packet types in a huge dump file. In this situation, we can't use the network packet analyzer (wireshark or ethereal) to load the huge dump file in a single shot, as it will be a CPU-intensive process and the system may hang. The editcap utility makes the job easier by producing only the relevant packets, so the network analyzer tool can load them quickly.
editcap is shipped in the wireshark package. Make sure the wireshark/ethereal package is installed before using editcap.

11 Practical Examples Of editcap Usage

Example 1: Discard set of packets from the beginning of input_dump file

The output_dump file will contain all packets except the first 10 packets.

# editcap -v input_dump output_dump 1-10

Example 2: Discard set of packets from the middle of input_dump file

The output_dump file will contain all packets except packets 200 to 210.

Example 3: Keep only the specified packets using option -r

The output_dump file will contain only the first 10 packets and packets 100 through 200.

# editcap -r -v input_dump output_dump 1-10 100-200

Example 4: Change the encapsulation type of the capture file using option -T

By default the encapsulation type of the dump file is ether. The example below translates the capture file to the ieee-802-11-radiotap encapsulation, matching the value passed to -T in the command.

# editcap -v -T ieee-802-11-radiotap input_dump output_dump

Example 5: Process the compressed input_dump files

editcap automatically detects compressed capture file formats; currently it supports the gzip format. In the example below, it reads packets from the compressed input file and writes the first 10 packets and packets 100 through 200 into the output_dump file.

# editcap -r -v input_dump.gz output_dump 1-10 100-200

Example 6: Extract packets between a specific timeperiod using option -A and -B

This example creates output_dump containing only the packets captured between the time given with option -A and the time given with option -B.

The example below looks back at the previous frames to find duplicates and produces a dump that contains no duplicate packets.

# editcap -v -d input_dump output_dump

Example 9: Truncate the packets to the specific length using option -s

Produces the output_dump file with each packet's captured length limited to 100 bytes. This can be very helpful in many situations. For example, you can use this method if you want only the IP layer of every packet and do not need the higher layers.

Divide the single dump into multiple files, each containing the specified number of packets.

# editcap -v -c 1000 input_dump output

If the input_dump contains 5000 packets, editcap will generate the following 5 different output files.

output-00000
output-00001
output-00002
output-00003
output-00004

Example 11: Remove certain bytes from the bottom of all packets using option -C

This example removes 10 bytes from every packet and writes the result into the output file. You can confirm this by viewing the output file in wireshark: the frame layer of every packet will show “50 bytes on wire, 40 bytes captured” (here the actual size of a packet is 50 bytes).

# editcap -C 10 input_dump output
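To make the effect of the options used in the examples above concrete, the following Python script is added here as an illustration; it is not editcap's own code nor part of the original article. It reads and writes classic libpcap files (the format the article's commands produce with -F libpcap) and re-implements, on a constructed 12-frame capture, the packet-range selection with and without -r (Examples 1 to 3), the -T encapsulation change (Example 4) using the link-type numbers 1 for ether and 127 for ieee-802-11-radiotap, transparent reading of a gzip input (Example 5), the -A/-B time window (Example 6, here with epoch seconds rather than editcap's date strings), the -d duplicate window, the -s snaplen truncation, the -c split and the -C tail chop as the article describes it (captured length reduced, wire length untouched). All function names and the sample frames are this example's own assumptions.

```python
"""Miniature re-implementation of several editcap operations on classic
libpcap files: added for illustration, not editcap's own code."""
import gzip
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic libpcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen (saved), wirelen (on wire)
LINKTYPE_ETHERNET = 1                   # "ether" in editcap's -T vocabulary
LINKTYPE_IEEE802_11_RADIOTAP = 127      # "ieee-802-11-radiotap"

def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """packets: list of (timestamp_seconds, wire_length, captured_bytes) -> pcap bytes."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, wirelen, data in packets:
        sec = int(ts)
        out += REC_HDR.pack(sec, int(round((ts - sec) * 1_000_000)), len(data), wirelen) + data
    return out

def read_pcap(blob):
    """Return (linktype, packets); gzip input is recognised by its magic bytes,
    the way editcap transparently reads input_dump.gz (Example 5)."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    packets, off = [], GLOBAL_HDR.size
    while off < len(blob):
        sec, usec, caplen, wirelen = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + caplen > len(blob):
            raise ValueError("truncated packet record")  # never read past a cut-off file
        packets.append((sec + usec / 1_000_000, wirelen, blob[off:off + caplen]))
        off += caplen
    return linktype, packets

def parse_ranges(specs):
    """editcap packet selectors: '7' or '1-10', 1-based, both ends inclusive."""
    chosen = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")
        chosen.update(range(int(lo), int(hi or lo) + 1))
    return chosen

def select_packets(packets, specs, keep=False):
    """Drop the listed packets (Examples 1 and 2); keep=True mirrors -r (Example 3)."""
    chosen = parse_ranges(specs)
    return [p for n, p in enumerate(packets, 1) if (n in chosen) == keep]

def time_window(packets, start, stop):
    """-A/-B: keep packets whose timestamp lies within [start, stop] (epoch seconds)."""
    return [p for p in packets if start <= p[0] <= stop]

def dedup(packets, window=5):
    """-d: drop a packet whose bytes equal one of the preceding `window` frames read."""
    out, recent = [], []
    for p in packets:
        if p[2] not in recent:
            out.append(p)
        recent = (recent + [p[2]])[-window:]
    return out

def truncate(packets, snaplen):
    """-s: keep at most `snaplen` captured bytes; the wire length stays as recorded."""
    return [(ts, wl, data[:snaplen]) for ts, wl, data in packets]

def chop_tail(packets, nbytes):
    """-C as the article describes it: drop `nbytes` from the end of the captured data,
    so a 50-byte frame later shows as '50 bytes on wire, 40 bytes captured'."""
    return [(ts, wl, data[:max(0, len(data) - nbytes)]) for ts, wl, data in packets]

def split_every(packets, per_file):
    """-c: consecutive chunks keyed by the output-00000, output-00001, ... file names."""
    return {f"output-{i:05d}": packets[j:j + per_file]
            for i, j in enumerate(range(0, len(packets), per_file))}

def demo():
    """Run every operation over a constructed 12-frame capture and report the results."""
    base = 1_700_000_000
    # Constructed sample: frames one second apart, 50 bytes on the wire, fully captured.
    frames = [(base + n, 50, bytes([n]) * 50) for n in range(12)]
    frames[6] = (frames[6][0], 50, frames[5][2])  # frame 7 repeats frame 6's bytes
    linktype, pkts = read_pcap(gzip.compress(write_pcap(frames)))  # gzip round trip
    radiotap, _ = read_pcap(write_pcap(pkts, linktype=LINKTYPE_IEEE802_11_RADIOTAP))
    chopped = read_pcap(write_pcap(chop_tail(pkts, 10)))[1]
    return {
        "read": (linktype, len(pkts)),
        "drop_1-10": len(select_packets(pkts, ["1-10"])),
        "keep_1-3_10-12": len(select_packets(pkts, ["1-3", "10-12"], keep=True)),
        "window_2s_to_4s": len(time_window(pkts, base + 2, base + 4)),
        "dedup": len(dedup(pkts)),
        "snaplen_20": {len(d) for _, _, d in truncate(pkts, 20)},
        "chop_10": (chopped[0][1], len(chopped[0][2])),  # (wire, captured) = (50, 40)
        "retyped": radiotap,
        "split_5": [len(v) for v in split_every(pkts, 5).values()],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

The script only understands the little-endian classic pcap magic, which is why a pcapng file (the default output of newer editcap versions) would be rejected by read_pcap; writing the header with its own magic and link-type field is also what makes the -T encapsulation change a pure header rewrite, while -s and -C only alter the per-record caplen and the saved bytes.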

This article was written by Balakrishnan Mariyappan. He works at bk Systems (p) Ltd and is interested in contributing to open source. The Geek Stuff welcomes your tips and guest articles.

It may be worth noting – the default output of the pcap files seems to be File type: Wireshark – pcapng. This is different from the input file I used – which was File type: Wireshark/tcpdump/… – libpcap. I had to re-run the edit file with the switch ‘-F libpcap’ added in order to make it output the same format. (I am feeding these into scapy and scapy didn’t like the pcapng format). As a side note, I am testing the file format with capinfos.exe (bundled with WireShark along with editcap).
